VMware vSphere 7.0 Virtual Machine Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Copy operations must be disabled on the virtual machine (VM).
<VulnDiscussion>Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to v...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Drag and drop operations must be disabled on the virtual machine (VM).
<VulnDiscussion>Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to v...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Paste operations must be disabled on the virtual machine (VM).
<VulnDiscussion>Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to v...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Virtual disk shrinking must be disabled on the virtual machine (VM).
<VulnDiscussion>Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Virtual disk wiping must be disabled on the virtual machine (VM).
<VulnDiscussion>Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process ...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Independent, nonpersistent disks must not be used on the virtual machine (VM).
<VulnDiscussion>The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Host Guest File System (HGFS) file transfers must be disabled on the virtual machine (VM).
<VulnDiscussion>Setting "isolation.tools.hgfsServerSet.disable" to "true" disables registration of the guest's HGFS server with the host. App...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Unauthorized floppy devices must be disconnected on the virtual machine (VM).
<VulnDiscussion>Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Unauthorized CD/DVD devices must be disconnected on the virtual machine (VM).
<VulnDiscussion>Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Unauthorized parallel devices must be disconnected on the virtual machine (VM).
<VulnDiscussion>Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Unauthorized serial devices must be disconnected on the virtual machine (VM).
<VulnDiscussion>Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Unauthorized USB devices must be disconnected on the virtual machine (VM).
<VulnDiscussion>Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Console connection sharing must be limited on the virtual machine (VM).
<VulnDiscussion>By default, more than one user at a time can connect to remote console sessions. When multiple sessions are activated, each t...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Informational messages from the virtual machine to the VMX file must be limited on the virtual machine (VM).
<VulnDiscussion>The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the gue...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Unauthorized removal, connection, and modification of devices must be prevented on the virtual machine (VM).
<VulnDiscussion>In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The virtual machine (VM) must not be able to obtain host information from the hypervisor.
<VulnDiscussion>If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This ...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Shared salt values must be disabled on the virtual machine (VM).
<VulnDiscussion>When salting is enabled (Mem.ShareForceSalting=1 or 2) to share a page between two virtual machines, both salt and the conten...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Access to virtual machines (VMs) through the "dvfilter" network Application Programming Interface (API) must be controlled.
<VulnDiscussion>An attacker might compromise a VM by using the "dvFilter" API. Configure only VMs that need this access to use the API.</V...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
System administrators must use templates to deploy virtual machines (VMs) whenever possible.
<VulnDiscussion>Capture a hardened base operating system image (with no applications installed) in a template to ensure all VMs are created w...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Use of the virtual machine (VM) console must be minimized.
<VulnDiscussion>The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The virtual machine (VM) guest operating system must be locked when the last console connection is closed.
<VulnDiscussion>When accessing the VM console, the guest operating system must be locked when the last console user disconnects, limiting the...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
All 3D features on the virtual machine (VM) must be disabled when not required.
<VulnDiscussion>For performance reasons, it is recommended that 3D acceleration be disabled on virtual machines that do not require 3D functi...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Encryption must be enabled for vMotion on the virtual machine (VM).
<VulnDiscussion>vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMo...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Logging must be enabled on the virtual machine (VM).
<VulnDiscussion>The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limite...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Log size must be configured properly on the virtual machine (VM).
<VulnDiscussion>The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limite...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.